Comments

While it may be entirely possible, maybe even probable, that Google built a back door for the government to access email accounts w/ a search warrant I was really looking for a reference to your statement somewhere.

It was stated as a fact; but you didn't back that up with some kind of reference. Like Google license agreement, a statement from a Google employee, etc.

I would be curious as to where you got the information and what Google's response to this article has been.

If it's true that there are government backdoors in Gmail - and by extension, presumably, in all major free email systems - then that's a scandal of huge proportions.

I will close my Gmail account as soon as possible.

I don't understand how it would make sense though, given that email generally resides on the servers unencrypted, and those operating the servers would therefore be able to comply with search warrants - why would there need to be a (remote) backdoor capability?

While I believe the government can tap your gmail account, sniff on your Internet connection, install keystroke loggers in your computer, search your horse, tap your cell phone, etc... they need justification first. And then they need to convince a judge that there is "just cause."

If they have that, then you have more problems than just a gmail account.

What exactly is a backdoor? If a provider gives the cops a generic account that can access customer data, is that a backdoor? Or what if specific accounts are allocated to actual officers and access is restricted to specific IPs within police facilities?

Is a backdoor when the police can "pull" data from a provider, even if the best access controls, audit controls, legal safeguards, oversight, transparency are in place?

If the data is "pushed", and the provider sends the data to the police is this any better? For example, is one monster unencrypted zip file with all your emails that safe?

Assuming the correct legal controls, law enforcement needs to have "access" to the data. What is the correct, non-backdoor, technical methodology that providers and law enforcement should use?

And assuming the best controls in the world, some "system" must be in place, even if it's purely paper and procedures. That system is one of many systems surrounding your data. And any one of those systems, including those for law enforcement, is a possible avenue for attack, whether that be a technical hack, or social engineering, or insider knowledge.

Google, Yahoo, et al. have their costs per account list (which is given to DHS etc.) published on cryptome. So it is obvious that all of these companies get sufficient requests from US law enforcement for information that they have streamlined the process so far as to be able to invoice it.

First there is law enforcement. This is done by police forces of all levels and goes through the usual channels. Warrants, court orders and the like. These orders are served to the ISPs and Telcos, then they flip a switch.

The second case is intelligence agencies. Here the ISPs and Telcos must not know when an agency does a wire tap. So all systems are required to provide a method to tap into them without the ISPs' or Telcos' assistance or knowledge.

The second case is new. For the US not much is published yet, but on the other side of the Atlantic ocean, the Europeans are a bit more open. At the "European Telecommunications Standards Institute" all the open and not so open agencies are involved and shape the standards to their needs. Despite the name of the institute, the American cousins are sitting at the table too.

As the invisible wire tap is new (2006 IIRC), it is not yet implemented everywhere. But we can safely assume that most newer systems already have this access point.

Actually there is a third which has been used in various parts of Europe "broadcast interception".

It is lawful and necessary for many agencies to intercept communications without a warrant if the information is "broadcast". The definition of broadcast is what you get a Judge or politician to make it...

There was talk that EMails should be regarded just like "postcards" as "broadcast" not "private" communications.

A number of organisations are looking to take cases to court (the UK's OfCom being one) just to get judges to change the accepted meaning of words. Often they use such things as the "Proceeds of Crime Act" to prevent the defendant having the ability to defend themselves and in other ways "hollow out" the justice system. These organisations staffed by the likes of (Clive Corrie of OfCom Birmingham) will perjure themselves just to get a result for their seniors and find willing co-conspirators (Barry Cartman Secretary of R&TTE Compliance and MD of BABT for 18 years) in various trade bodies.

'For the US not much is published yet, but on the other side of the Atlantic ocean, the Europeans are a bit more open. At the "European Telecommunications Standards Institute" all the open and not so open agencies are involved and shape the standards to their needs. Despite the name of the institute, the American cousins are sitting at the table too.'

It is no big secret that the likes of the FBI were in Europe at very high level briefings with scare stories long long before 9/11 to try and get the EU to implement laws the various US three letter agencies knew would not happen in the US unless the EU did them first (in most cases they were shown the door but like the rodents they are they kept gnawing away 8(

I agree with nik. As convenient and reliable as gmail happens to be, this is unacceptable! I also plan on off-loading my email to my own server as soon as I can properly configure it for local and remote access. Unfortunately, this requires that I expose my server to the general internet (possible because I do hold a number of static IP addresses and my server has a second ethernet port to use when configuring my router), so I am more exposed to external hacks. As a lot of my work is for major manufacturing concerns, IP theft is a major concern.

Actually, it was little green men in tiny space saucers, who have hacked our systems, and are working to make us fight China, and when we destroy ourselves, the little green men, have a big party and get some good laughs.

Seriously, with what is in the media these days, the above is just about as much truth that is out there.

As for Bruce Schneier's CNN article, I am happy to read such an article that might be more true, than the first line of this post.

If only the rest of the blog, was more like Bruce's article, and not like the first line.

If only some think tanks would release some papers better than the first line of this post. GRR.

However, like others who have posted, I would like to see some references to the claim that Chinese exploited NSA backdoors.

Obviously if backdoors exist specifically for governments, they're not going to want to notify the public about them, but if Google is trying to get back to their "Do No Evil" mantra, not disclosing this information is counterproductive.

Back to the point, I don't like how Bruce's article passes this as fact, without links to references to back the claim up.

It sounded to my ears like this "subject-line-only" (plus to/from headers?) was the sort of government surveillance that would fall under some sort of "pen register"-phone-equivalent search process that falls short of a full tapping of the complete email contents. I have no first-hand knowledge of this of course.

@Grymoire
"While I believe the government can tap your gmail account, sniff on your Internet connection, install keystroke loggers in your computer, search your horse, tap your cell phone, etc... they need justification first. And then they need to convince a judge that there is "just cause.""

Unfortunately, we have the Patriot Act, NSLs, no fly lists, and people being put into terror databases or on watch lists for political reasons with no judicial review. No just cause is necessary anymore.

Bruce, you cannot drop a bomb like this "Google created a backdoor access system into Gmail accounts" and not provide any reference to back it up. We need to know/verify if this information is true or not. How do we know it's not just your imagination speaking?

Google CEO Eric Schmidt:
“We made a strong statement that we wish to remain in China,”
“We like the Chinese people, we like our Chinese employees. We like the business opportunities there, but we’d like to do that on somewhat different terms than we have but we remain quite committed to being there.”
“Our business in China is today unchanged,”
“We continue to follow their laws, we continue to offer censored results. But in a reasonably short time from now we will be making some changes there.”

Larry Page and Sergey Brin co-founders of Google, have agreed to sell $5.5 Billion in stock.

Quote:
Drummond said that the hackers never got into Gmail accounts via the Google hack, but they did manage to get some "account information (such as the date the account was created) and subject line."

That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

And all this, my friends, is why Wikipedia has become the bane of intelligent discussion everywhere on the Net.

No, an expert speaking within his field doesn't need to provide an expletive deleted APA-format bibliographic citation for every factual claim he makes in an opinion piece. That's kind of what the words "expert" and "opinion" mean. You're free to disbelieve Bruce's expert opinion if you wish, but "{{uncited}}" isn't a legitimate debate-terminating argument against an expert opinion anywhere except on Wikipedia.

A reasonable question might be phrased as "Why do you think Google has built a government backdoor into GMail?" - and for the reasons that one or two smarter commentators above have pointed out, "I can't tell you." might be a reasonable answer to that. "Where's the citation?" isn't the right way to ask the question because in the real world, the overwhelming majority of facts don't appear in the public literature and can't be reduced to a "citation."

@Matthew Skala: I'd consider it as why Wikipedia is improving intelligent discussion. People have been making provocative and often inaccurate statements in editorial speech for a long time, and it encourages me to see any movement towards fact-checking.

Just saying "[citation needed]" is rather abrupt, and your formulation is better, and as you point out there may not be any actual citation. Still, I'd rather there be some sort of movement to call people on statements, and "[citation needed]" may be a catchy slogan.

Use Google. You will find it in 30 seconds. Bruce is late to this party and there is a ton of information out there on Chinese espionage, Gmail or otherwise. For those with enough time to criticize but not type "china gmail attack" or something, here are a few links:

Sorry to tell you, but that research isn't recent. They've been working on that stuff for decades and some counters and adders are the best they've come up with. Sad, really. Secure, distributed computation could end up being one of cryptography's greatest challenges.

There is hope though. As you pointed out, researchers are furiously studying crypto schemes that let one store data on untrusted storage providers. Computing is also possible if a tamper-resistant crypto card performs and authenticates critical portions of the work. A few research proposals use the IBM crypto card to allow secure operation in an untrusted data center. MIT's Aegis secure processor can also operate in untrusted environments. I can't wait for it to get out of prototype stages. I think the easiest IT outsourcing will be storage, where files can simply be encrypted & HMAC'd with an appliance before being sent out. This provides the assurance for integrity and confidentiality. A company can improve availability by choosing which and how many storage providers to use.
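Added example, not part of the comment above or of any product it mentions: a minimal Python sketch of the "encrypt & HMAC before sending out, then replicate across providers" idea. The function names, the in-memory dict "providers" and the sample file are constructed for illustration, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for the AES mode a real appliance would use.

```python
import hashlib
import hmac
import os

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: stdlib stand-in for AES-CTR (assumption).
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def _tag(mac_key, name, body):
    # The file name is bound into the tag so a provider cannot swap blobs between names.
    return hmac.new(mac_key, name.encode() + b"\x00" + body, hashlib.sha256).digest()

def seal(enc_key, mac_key, name, plaintext):
    # Encrypt-then-MAC with separate keys; output is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = nonce + ct
    return body + _tag(mac_key, name, body)

def open_sealed(enc_key, mac_key, name, blob):
    # Verify the tag in constant time BEFORE decrypting; None means "reject".
    if len(blob) < 48:
        return None
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, name, body)):
        return None
    nonce, ct = body[:16], body[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def fetch(enc_key, mac_key, name, providers):
    # Availability through redundancy: use the first replica that authenticates.
    for label, store in providers.items():
        blob = store.get(name)
        plaintext = open_sealed(enc_key, mac_key, name, blob) if blob is not None else None
        if plaintext is not None:
            return label, plaintext
    return None, None

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    name, data = "q3-designs.tar", b"constructed sample file contents"
    blob = seal(enc_key, mac_key, name, data)
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]  # one flipped ciphertext bit
    # Constructed providers: a has lost the file, b returns a modified copy, c is intact.
    providers = {"provider-a": {}, "provider-b": {name: tampered}, "provider-c": {name: blob}}
    return fetch(enc_key, mac_key, name, providers)
```

The providers only ever hold ciphertext and a tag, so confidentiality and integrity rest on the two keys staying inside the company; the providers contribute availability only.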

--How The Chinese Attacks Actually Work (January 27, 2010)
A report from Mandiant describes how cyber criminals launch sophisticated attacks that penetrate government and corporate computer networks and remain undetected to steal information and monitor activity over lengthy periods of time. The advanced persistent threat (APT) model described in the report is drawn from cases involving real attacks that Mandiant has researched over the last seven years. The company did not say if it is involved in investigating the recent attacks on Google, Adobe and other US companies. The report indicates that the majority of APT attacks have ties to China. Security software was able to detect just 24 percent of the malware used in the attacks. The report describes the seven stages of APT attacks: reconnaissance; intrusion into the network; establishing a backdoor; obtaining user credentials; installing multiple utilities; privilege escalation, lateral movement, and data exfiltration; and maintaining persistence.
http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=222600139